Prerequisites for AWS

Refer to the following topics for details:

Subscribe to GigaVUE Cloud Suite Components

To deploy the GigaVUE Cloud Suite for AWS from the AWS Marketplace, you can subscribe to the following GigaVUE Cloud Suite components. 

  • GigaVUE V Series Node

  • GigaVUE V Series Proxy

  • GigaVUE V Series Controller

  • GigaVUE-FM BYOL

Note: You will not be charged for subscribing to the components.

To subscribe to the GigaVUE components, perform the following steps:

  1. Log in to your AWS account.
  2. Go to https://aws.amazon.com/marketplace/.
  3. In the Search field, type Gigamon and click Search.
  4. Select the latest GigaVUE Cloud Suite version link from the list for Gigamon products.
  5. Click Continue to Subscribe.

Recommended Instance Types for AWS

Product | Instance Type | vCPU | RAM
GigaVUE-FM | m4.xlarge | 4 vCPU | 16 GB
GigaVUE V Series Node | c5n.xlarge | 4 vCPU | 10.5 GB
GigaVUE V Series Proxy | t2.medium | 2 vCPU | 4 GB
UCT-V | t2.micro | 1 vCPU | 1 GB
UCT-V Controller | t2.medium | 2 vCPU | 4 GB

AWS Security Credentials

To establish the initial connection between GigaVUE-FM and AWS, you will require the security credentials for AWS. These credentials are necessary to verify your identity and determine whether you have authorization to access the resources you are requesting. AWS employs these security credentials to authenticate and authorize your requests.

You need one of the following security credentials:

  • Identity and Access Management (IAM) role — If GigaVUE-FM is running within AWS, it is recommended to use an IAM role. With an IAM role, the instance can make API requests securely without storing long-lived keys. Create an IAM role, ensure that the permissions and policies listed in Permissions are attached to the role, and ensure that you are using Customer Managed Policies or Inline Policies.
  • Access Keys — If GigaVUE-FM is deployed in the enterprise data center, you must use access keys (basic credentials) to connect to the VPC. Basic credentials allow full access to all the resources in your AWS account. An access key consists of an access key ID and a secret access key. For detailed instructions on creating access keys, refer to the AWS documentation on Managing Access Keys for Your AWS Account.

    Note:  To obtain the IAM role or access keys, contact your AWS administrator.

Amazon VPC

You must have an Amazon Virtual Private Cloud (VPC) to launch GigaVUE components into your virtual network.

Note:  To create a VPC, refer to Create a VPC topic in the AWS Documentation.

Your VPC must have the following elements to configure the GigaVUE Cloud Suite for AWS components:

Subnet for VPC

VPC must have a subnet to configure the GigaVUE Cloud Suite for AWS components. You can either have the components deployed in a single subnet or in multiple subnets.

  • Management Subnet that the GigaVUE-FM uses to communicate with the GigaVUE V Series nodes and controllers and UCT-V Controllers.
  • Data Subnet that can accept incoming mirrored traffic from agents or be used to egress traffic to a tool.

If a single subnet is used, the Management Subnet is also used as the Data Subnet.

Security Group

When you launch GigaVUE‑FM, GigaVUE V Series Proxies, GigaVUE V Series Nodes, and UCT-V Controllers, a security group can be utilized to define virtual firewall rules for your instance, which in turn regulates inbound and outbound traffic. You can add rules to manage inbound traffic to instances, and a distinct set of rules to control outbound traffic.

It is recommended to create a separate security group for each component using the rules and port numbers listed in the following table.

The following table lists the Network Firewall / Security Group requirements for GigaVUE Cloud Suite.

Note:  When using dual stack network, the below mentioned ports must be opened for both IPv4 and IPv6.

GigaVUE-FM

Direction | Protocol | Port | Source CIDR | Purpose
Inbound | TCP | 443 | Administrator Subnet | Allows GigaVUE-FM to accept management connections using the REST API. Allows users to access the GigaVUE-FM UI securely through an HTTPS connection.
Inbound | TCP | 22 | Administrator Subnet | Allows CLI access for user-initiated management and diagnostics.
Inbound (this port is used for Third Party Orchestration) | TCP | 443 | UCT-V Controller IP | Allows GigaVUE-FM to receive registration requests from UCT-V Controller using the REST API.
Inbound (this port is used for Third Party Orchestration) | TCP | 443 | GigaVUE V Series Node IP | Allows GigaVUE-FM to receive registration requests from GigaVUE V Series Node using the REST API when GigaVUE V Series Proxy is not used.
Inbound (this port is used for Third Party Orchestration) | TCP | 443 | GigaVUE V Series Proxy IP | Allows GigaVUE-FM to receive registration requests from GigaVUE V Series Proxy using the REST API.
Inbound | TCP | 443 | UCT-C Controller IP | Allows GigaVUE-FM to receive registration requests from UCT-C Controller using the REST API.
Inbound | TCP | 5671 | GigaVUE V Series Node IP | Allows GigaVUE-FM to receive traffic health updates from GigaVUE V Series Nodes.
Inbound | TCP | 5671 | UCT-V Controller IP | Allows GigaVUE-FM to receive statistics from UCT-V Controllers.
Inbound | TCP | 5671 | UCT-C Controller IP | Allows GigaVUE-FM to receive statistics from UCT-C Controllers.
Inbound | UDP | 2056 | GigaVUE V Series Node IP | Allows GigaVUE-FM to receive Application Intelligence and Application Visualization reports from GigaVUE V Series Node.

Direction | Protocol | Port | Destination CIDR | Purpose
Outbound | TCP | 9900 | GigaVUE-FM IP | Allows GigaVUE-FM to communicate control and management plane traffic with UCT-V Controller.
Outbound (optional) | TCP | 8890 | GigaVUE V Series Proxy IP | Allows GigaVUE-FM to communicate control and management plane traffic to GigaVUE V Series Proxy.
Outbound | TCP | 8889 | GigaVUE V Series Node IP | Allows GigaVUE-FM to communicate control and management plane traffic to GigaVUE V Series Node.
Outbound | TCP | 8443 (default) | UCT-C Controller IP | Allows GigaVUE-FM to communicate control and management plane traffic to UCT-C Controller.
Outbound | TCP | 443 | Any IP Address | Allows GigaVUE-FM to reach the Public Cloud Platform APIs.

UCT-V Controller

Direction | Protocol | Port | Source CIDR | Purpose
Inbound | TCP | 9900 | GigaVUE-FM IP | Allows UCT-V Controller to communicate control and management plane traffic with GigaVUE-FM.
Inbound | TCP | 9900 | UCT-V or Subnet IP | Allows UCT-V Controller to receive traffic health updates from UCT-V.
Inbound (this port is used for Third Party Orchestration) | TCP | 8891 | UCT-V or Subnet IP | Allows UCT-V Controller to receive the registration requests from UCT-V.
Inbound | TCP | 22 | Administrator Subnet | Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration.

Direction | Protocol | Port | Destination CIDR | Purpose
Outbound (this port is used for Third Party Orchestration) | TCP | 443 | GigaVUE-FM IP | Allows UCT-V Controller to send the registration requests to GigaVUE-FM using the REST API.
Outbound | TCP | 9901 | UCT-V Controller IP | Allows UCT-V Controller to communicate control and management plane traffic with UCT-Vs.
Outbound | TCP | 5671 | GigaVUE-FM IP | Allows UCT-V Controller to send traffic health updates to GigaVUE-FM.

UCT-V

Direction | Protocol | Port | Source CIDR | Purpose
Inbound | TCP | 9901 | UCT-V Controller IP | Allows UCT-V to receive control and management plane traffic from UCT-V Controller.

Direction | Protocol | Port | Destination CIDR | Purpose
Outbound (this port is used for Third Party Orchestration) | TCP | 8891 | UCT-V Controller IP | Allows UCT-V to communicate with UCT-V Controller for registration and heartbeat.
Outbound | UDP (VXLAN) | VXLAN (default 4789) | GigaVUE V Series Node IP | Allows UCT-V to tunnel VXLAN traffic to GigaVUE V Series Nodes.
Outbound | IP Protocol (L2GRE) | L2GRE (IP 47) | GigaVUE V Series Node IP | Allows UCT-V to tunnel L2GRE traffic to GigaVUE V Series Nodes.
Outbound (optional; this port is used only for Secure Tunnels) | TCP | 11443 | GigaVUE V Series Node IP | Allows UCT-V to securely transfer the traffic to the GigaVUE V Series Node.
Outbound | TCP | 9900 | UCT-V Controller IP | Allows UCT-V to send traffic health updates to UCT-V Controller.

GigaVUE V Series Node

Direction | Protocol | Port | Source CIDR | Purpose
Inbound | TCP | 8889 | GigaVUE-FM IP | Allows GigaVUE V Series Node to communicate control and management plane traffic with GigaVUE-FM.
Inbound | TCP | 8889 | GigaVUE V Series Proxy IP | Allows GigaVUE V Series Node to communicate control and management plane traffic with GigaVUE V Series Proxy.
Inbound | UDP (VXLAN) | VXLAN (default 4789) | UCT-V Subnet IP | Allows GigaVUE V Series Nodes to receive VXLAN tunnel traffic from UCT-V.
Inbound | IP Protocol (L2GRE) | L2GRE | UCT-V Subnet IP | Allows GigaVUE V Series Nodes to receive L2GRE tunnel traffic from UCT-V.
Inbound | UDPGRE | 4754 | Ingress Tunnel | Allows GigaVUE V Series Node to receive tunnel traffic from a UDPGRE tunnel.
Inbound | TCP | 22 | Administrator Subnet | Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration.
Inbound (optional; this port is used only for Secure Tunnels) | TCP | 11443 | UCT-V subnet | Allows traffic to be securely transferred to GigaVUE V Series Nodes.
Inbound (optional; this port is used only for configuring AWS Gateway Load Balancer) | UDP (GENEVE) | 6081 | Ingress Tunnel | Allows GigaVUE V Series Node to receive tunnel traffic from AWS Gateway Load Balancer.

Direction | Protocol | Port | Destination CIDR | Purpose
Outbound | TCP | 5671 | GigaVUE-FM IP | Allows GigaVUE V Series Node to send traffic health updates to GigaVUE-FM.
Outbound | UDP (VXLAN) | VXLAN (default 4789) | Tool IP | Allows GigaVUE V Series Node to tunnel output to the tool.
Outbound | IP Protocol (L2GRE) | L2GRE (IP 47) | Tool IP | Allows GigaVUE V Series Node to tunnel output to the tool.
Outbound | UDP | 2056 | GigaVUE-FM IP | Allows GigaVUE V Series Node to send Application Intelligence and Application Visualization reports to GigaVUE-FM.
Outbound | UDP | 2055 | Tool IP | Allows GigaVUE V Series Node to send NetFlow traffic to an external tool.
Outbound | UDP | 514 | Tool IP | Allows GigaVUE V Series Node to send Application Metadata Intelligence log messages to external tools.
Bidirectional (optional) | ICMP | echo request, echo reply | Tool IP | Allows GigaVUE V Series Node to send health check traffic to the tunnel destination.
Outbound (this port is used for Third Party Orchestration) | TCP | 8891 | GigaVUE V Series Proxy IP | Allows GigaVUE V Series Node to send registration requests and heartbeat messages to GigaVUE V Series Proxy when GigaVUE V Series Proxy is used.
Outbound (this port is used for Third Party Orchestration) | TCP | 443 | GigaVUE-FM IP | Allows GigaVUE V Series Node to send registration requests and heartbeat messages to GigaVUE-FM when GigaVUE V Series Proxy is not used.
Outbound (optional; this port is used only for Secure Tunnels) | TCP | 11443 | Tool IP | Allows traffic to be securely transferred to an external tool.

GigaVUE V Series Proxy (optional)

Direction | Protocol | Port | Source CIDR | Purpose
Inbound | TCP | 8890 | GigaVUE-FM IP | Allows GigaVUE-FM to communicate control and management plane traffic with GigaVUE V Series Proxy.
Inbound (this port is used for Third Party Orchestration) | TCP | 8891 | GigaVUE V Series Node IP | Allows GigaVUE V Series Proxy to receive registration requests and heartbeat messages from GigaVUE V Series Node.
Inbound | TCP | 22 | Administrator Subnet | Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration.

Direction | Protocol | Port | Destination CIDR | Purpose
Outbound | TCP | 443 | GigaVUE-FM IP | Allows GigaVUE V Series Proxy to communicate the registration requests to GigaVUE-FM.
Outbound | TCP | 8889 | GigaVUE V Series Node IP | Allows GigaVUE V Series Proxy to communicate control and management plane traffic with GigaVUE V Series Node.

Universal Cloud Tap - Container (UCT-C) deployed inside Kubernetes worker node

Direction | Protocol | Port | Destination CIDR | Purpose
Outbound | TCP | 42042 | Any IP address | Allows UCT-C to send statistical information to UCT-C Controller.
Outbound | UDP | VXLAN (default 4789) | Any IP address | Allows UCT-C to tunnel traffic to the GigaVUE V Series Node or other destination.

UCT-C Controller deployed inside Kubernetes worker node

Direction | Protocol | Port | Source CIDR | Purpose
Inbound | TCP | 8443 (configurable) | GigaVUE-FM IP | Allows GigaVUE-FM to communicate with UCT-C Controller.

Direction | Protocol | Port | Destination CIDR | Purpose
Outbound | TCP | 5671 | Any IP address | Allows UCT-C Controller to send statistics to GigaVUE-FM.
Outbound | TCP | 443 | GigaVUE-FM IP | Allows UCT-C Controller to communicate with GigaVUE-FM.
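The following Python script is an added example, not Gigamon's or AWS's code. It audits a security group against the GigaVUE-FM inbound rows of the tables above: it reports required ports that are not allowed, rules whose source is 0.0.0.0/0 or ::/0, and administrator-only ports (22 and 443) whose source lies outside the administrator subnet. The security group is given in the shape that boto3's ec2.describe_security_groups() returns; the two groups below are constructed samples (a weak one beside its corrected form), and the administrator subnet 10.10.0.0/24, the component subnet 10.10.1.0/24 and the group id are placeholders. With dual_stack=True it also flags, per the dual-stack note above, required ports that have no IPv6 source.

```python
"""Audit an AWS security group against the documented GigaVUE-FM inbound rules.

Added example, not Gigamon's or AWS's code. The groups below are constructed
samples in the shape returned by boto3 ec2.describe_security_groups(); in
practice you would pass one element of its "SecurityGroups" list.
"""
from ipaddress import ip_network

# Documented GigaVUE-FM inbound requirements: (protocol, port, source role).
# "admin" rows must come only from the Administrator Subnet; "internal" rows
# come from GigaVUE component IPs and must at least not be open to the world.
FM_INBOUND_RULES = [
    ("tcp", 443, "admin"),      # REST API and HTTPS UI
    ("tcp", 22, "admin"),       # CLI access
    ("tcp", 5671, "internal"),  # health updates / statistics from nodes and controllers
    ("udp", 2056, "internal"),  # Application Intelligence reports from V Series Nodes
]

ADMIN_SUBNET = "10.10.0.0/24"  # assumed administrator subnet (placeholder)

# Constructed weak group: SSH is open to the world and UDP 2056 is absent.
WEAK_SG = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ADMIN_SUBNET}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5671, "ToPort": 5671,
         "IpRanges": [{"CidrIp": "10.10.1.0/24"}], "Ipv6Ranges": []},
    ],
}

# The same group corrected: SSH limited to the administrator subnet, UDP 2056 added.
FIXED_SG = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ADMIN_SUBNET}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ADMIN_SUBNET}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5671, "ToPort": 5671,
         "IpRanges": [{"CidrIp": "10.10.1.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 2056, "ToPort": 2056,
         "IpRanges": [{"CidrIp": "10.10.1.0/24"}], "Ipv6Ranges": []},
    ],
}


def _sources(perm):
    """Yield every IPv4 and IPv6 CIDR that a permission entry admits."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _covers(perm, proto, port):
    """True if the permission entry allows proto/port ("-1" means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != proto:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_fm_security_group(sg, admin_subnet=ADMIN_SUBNET, dual_stack=False):
    """Return sorted findings for a GigaVUE-FM group; [] means it matches the table."""
    findings = []
    admin_net = ip_network(admin_subnet, strict=False)
    for proto, port, role in FM_INBOUND_RULES:
        matching = [p for p in sg["IpPermissions"] if _covers(p, proto, port)]
        if not matching:
            findings.append(f"missing: inbound {proto}/{port} not allowed")
            continue
        for perm in matching:
            for cidr in _sources(perm):
                net = ip_network(cidr, strict=False)
                if net.prefixlen == 0:
                    findings.append(f"world-open: {proto}/{port} from {cidr}")
                elif (role == "admin" and net.version == admin_net.version
                      and not net.subnet_of(admin_net)):
                    findings.append(f"not-admin-subnet: {proto}/{port} from {cidr}")
        # Dual-stack deployments must open each port for IPv6 as well as IPv4.
        if dual_stack and not any(p.get("Ipv6Ranges") for p in matching):
            findings.append(f"no-ipv6: {proto}/{port} has no IPv6 source")
    return sorted(findings)


if __name__ == "__main__":
    for name, sg in (("weak", WEAK_SG), ("fixed", FIXED_SG)):
        print(name, audit_fm_security_group(sg) or "OK")
```

The check is deliberately one-directional: it verifies that the documented ports are reachable from the intended sources, not that nothing else is open, so extend FM_INBOUND_RULES (or add a pass over rules it does not mention) for the other components' tables.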

Key Pair

A key pair consists of a public key and a private key. When you define the specifications for the UCT-V Controllers, GigaVUE V Series nodes, and GigaVUE V Series Proxy in your VPC, you must create a key pair and specify the name of this key pair.

To create a key pair, refer to Create a key pair using Amazon EC2 topic in the AWS Documentation.

Permissions

If you use an account-wide policy to encrypt all volumes with KMS keys, you must add the "kms:GenerateDataKeyWithoutPlaintext" permission to the IAM policy.

For more information on permissions, see the topic Check for Required IAM Permissions.
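As an added example (not Gigamon's or AWS's code) for this section and for the IAM-role guidance under AWS Security Credentials, the Python below checks an IAM policy document for the kms:GenerateDataKeyWithoutPlaintext action named above and reports any wildcard action patterns, since a customer managed or inline policy for the GigaVUE-FM role should grant the specific actions it needs rather than kms:* or *. The three policy documents are constructed; the key ARN in the scoped policy is a placeholder, and the required action list holds only the one action this page names.

```python
"""Check an IAM policy document for a required action and flag wildcard grants.

Added example, not Gigamon's or AWS's code. The policy documents are constructed;
only kms:GenerateDataKeyWithoutPlaintext comes from the page.
"""
import fnmatch
import json

REQUIRED_ACTIONS = ["kms:GenerateDataKeyWithoutPlaintext"]

# Constructed: missing the KMS permission entirely.
POLICY_MISSING = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"}],
})

# Constructed: grants the permission on one key only (placeholder ARN).
POLICY_SCOPED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:GenerateDataKeyWithoutPlaintext", "kms:CreateGrant"],
        "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    }],
})

# Constructed: satisfies the requirement only through a catch-all wildcard.
POLICY_WILDCARD = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}],
})


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy_json):
    """Collect every Action pattern from Allow statements.

    Deny statements and NotAction are not evaluated here; this is a lint pass,
    not a full IAM policy simulation.
    """
    doc = json.loads(policy_json)
    patterns = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns.extend(_as_list(stmt.get("Action", [])))
    return patterns


def check_policy(policy_json, required=REQUIRED_ACTIONS):
    """Return {"missing": [...], "wildcards": [...]} for the policy.

    A required action is satisfied when any Allow pattern matches it. IAM action
    patterns use '*' and '?' and match case-insensitively, so both sides are
    lower-cased before fnmatch is applied.
    """
    patterns = allowed_actions(policy_json)
    missing = [
        a for a in required
        if not any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns)
    ]
    wildcards = [p for p in patterns if "*" in p]
    return {"missing": missing, "wildcards": wildcards}


if __name__ == "__main__":
    for name, doc in (("missing", POLICY_MISSING), ("scoped", POLICY_SCOPED),
                      ("wildcard", POLICY_WILDCARD)):
        print(name, check_policy(doc))
```

Run it against the JSON returned for the role's customer managed or inline policies; an empty "missing" list with a non-empty "wildcards" list means the requirement is met only by a grant broader than the role needs.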

Default Login Credentials

You can log in to the GigaVUE V Series Node, GigaVUE V Series Proxy, and UCT-V Controller by using the default credentials.

Product | Login credentials
GigaVUE V Series Node | Log in by using SSH. The default username and password are: Username: gigamon; Password: use the SSH key.
GigaVUE V Series Proxy | Log in by using SSH. The default username and password are: Username: gigamon; Password: use the SSH key.
UCT-V Controller | Log in by using SSH. The default username and password are: Username: ubuntu; Password: use the SSH key.